OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Draft-sstc-sec-consider-03.doc

> >The attack described in section 3.4 of the document you reference is
> >based on two assumptions
> >1) The client does not verify certificate chains all the way to a
> >trusted CA (in the example attack the malicious party presents a
> >self-signed bogus certificate)
> The "client" is unfortunately a *human*  that just gets a 
> hint that something
> is not correct but he/she may click "Continue" to ignore.  
> And maybe even select to
> trust the next time.  This is the problem with ad-hoc PKI as 
> Dug correctly points
> out.  This is also probably the weakest spot in SAML, 
> assuming that servers
> are not too easy to hack into.

Your argument here amounts to: "The system may notice that the signature
is wrong, and tell the user, but the user might ignore that warning". I
can't argue with this, but I don't think it's a relevant point. It's the
equivalent to arguing that the waiter might not notice (or might not
care) that I signed "Bob Villa" on my credit card slip.

> >2) The server does not require a verified client certificate.
> This is by far the most likely use-case for SAML SSO-scenarious as far
> as I know, assuming the server is the target server in SSO.
> Personal opinion: Client-certs in inter-organization 
> activities like extranet
> authentication will due to SAML et. al. never be of any significance!

In every case where there is a threat that can be attenuated by
bilateral authentication, we point this out in the document. It is
further explained that for session-based systems this means client
certificates are required. If people choose it ignore that, then they
are making an informed choice and are opening themselves to the
risks--risks that are outlined in the document. The purpose of the
document is to allow people to make informed choices.

Personal opinion: B2B web services will drive certificate systems
forward because serious businesses won't play games with security, and
individuals will follow in the wake. 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC